IPsec questions

Started by dcol, April 15, 2025, 01:01:08 AM

I have been trying to set up the New IPsec VPN and having issues. I think it is all certificate related.
I have been using the Legacy version for a couple years now and it is time to change because it is being retired, I read, and since OPNsense version 25.1 has been disconnecting clients randomly. I'm on my 4th day and I just cannot get the new IPsec VPN to work. The guides have a lot of misleading and incomplete info. Most I can figure out, but the cert section is troubling me.
This OPNsense box is ONLY being used for IPsec VPN access to one server and many clients using one dedicated WAN IP (i.e. 98.99.100.101).
I chose 'IPsec - Roadwarriors IKEv2'
Let's start with the basics - Certificates. I think this is my main source of trouble.
From the guide, I need just one Root Authority and one leaf certificate. I named the root authority 'IPsec CA' and the Certificate 'leaf-vpn'
Both certs are created in OPNsense using the Deciso guide and the 'IPsec CA' Trust Authority is downloaded then uploaded to the Windows 2022 server and installed via mmc.
The 'leaf-vpn' cert is created as a client/server certificate and also uploaded and installed on the server via mmc.
The downloaded 'leaf-vpn.crt' cert is also uploaded to the Windows 11 client. That certificate is installed with the following PowerShell command on Win11
'Import-Certificate -FilePath "leaf-vpn.crt" -CertStoreLocation Cert:\LocalMachine\Root\'

I am not sure if I also need to use mmc to install the 'leaf-vpn.crt' cert to the Windows 11 client.

Am I missing any steps with these certificates?
Any help is greatly appreciated. Thanks, OPNsense is a fantastic product.

No one....
At least just a 'that will work', or a simple correction.
Please....

The whole EAP-TLS section was added here but it's totally based on user feedback:

https://github.com/opnsense/docs/pull/651

Check the links in the PR for more information.

The part I tested is the whole MSCHAPv2 setup, which I know works.
Hardware:
DEC740

Thanks for response.
That commit was back in Jan. I am using OPNsense 25.1.5 so it should be there.
The error I get on the Windows 11 Client is 'IKE authentication credentials are unacceptable'
So, from my first post, does it appear that the certs were added correctly?
Dan

April 16, 2025, 05:27:28 PM #4 Last Edit: April 16, 2025, 05:35:25 PM by dcol
Help, day 6 and I still can't get this to work.
Stuck at 'IKE authentication credentials are unacceptable' from the Windows 11 built-in client
Redid the certs multiple times. Where is there a guide that I can follow? The Deciso guide isn't right.
I think the main issue with the guides is the mix of New and Legacy info in them.
Keep in mind, this OPNsense box's only purpose is for this VPN. No other tasks are in this firewall.
Questions
What certs and types do the server and client actually need?
Which cert stores are these certs put in? Some guides say Trusted Root, some Personal store
Do I import all the certs via mmc?

I can't believe I am the only one with this issue. What am I missing?
When I finally get it working I will post a complete step-by-step guide in this forum that others can use.

Right now, I am using an internet-based VPN service and because of my connection speeds it is very slow.
When I used the OPNsense legacy IPsec it was fast and solid, but it started disconnecting with OPNsense 25+.
Please help!

April 16, 2025, 05:41:10 PM #5 Last Edit: April 16, 2025, 05:46:34 PM by Monviech (Cedrik)
I have written above that the deciso guide was written based on user feedback, and in the PR is a link to the forum post where it was discussed and the user posted their configuration.

There is no mix of connections and legacy in that guide.

Maybe you messed something up with the certificates.

The VPN server gets a server certificate, the client (Windows 11) gets a client certificate and the CA certificate that issued both the server and the client certificates. That's how I understood it in that forum post that's referenced.
Hardware:
DEC740
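As an added illustration of the layout described in the reply above (this script is not from the thread or from the OPNsense docs), the following PowerShell checks, on the Windows 11 client, that the certificates ended up in the stores the built-in IKEv2 client reads from. It assumes the names used in the thread ('IPsec CA' and 'leaf-vpn') and assumes machine-certificate authentication, where the client certificate with its private key lives in LocalMachine\My and the issuing CA in LocalMachine\Root; for per-user EAP-TLS the CurrentUser\My store would apply instead.

```powershell
# Added example, not from the thread: verify IPsec certificate placement on the client.
# Assumed names from the thread; adjust to your own CA and client certificate CN.
$caName   = 'IPsec CA'
$leafName = 'leaf-vpn'

# The issuing CA belongs in the machine Trusted Root store.
$ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$caName*" }
if (-not $ca) { Write-Warning "CA '$caName' not found in LocalMachine\Root" }

# A leaf certificate imported into Root instead of Personal is a common mistake; report it.
$misplaced = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$leafName*" }
if ($misplaced) { Write-Warning "'$leafName' is in LocalMachine\Root; it belongs in LocalMachine\My" }

# The client certificate must be in the machine Personal store WITH its private key,
# which means importing the .p12/.pfx (Import-PfxCertificate), not the bare .crt.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$leafName*" } | Select-Object -First 1
if (-not $leaf) { Write-Warning "'$leafName' not found in LocalMachine\My"; return }
if (-not $leaf.HasPrivateKey) { Write-Warning "'$leafName' has no private key; import the .pfx, not the .crt" }

# The client certificate needs the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
$eku = $leaf.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Enhanced Key Usage' }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
    Write-Warning "'$leafName' lacks the Client Authentication EKU"
}

# Build the chain the way the IKE peer will: a leaf with no path to a trusted root is
# rejected during IKE_AUTH. Revocation checking is skipped here to keep the test offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($leaf)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
```

Run it from an elevated PowerShell session, since the LocalMachine stores require administrator rights to enumerate private-key details.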

April 16, 2025, 07:26:12 PM #6 Last Edit: April 17, 2025, 01:23:48 AM by dcol
Since this is a VPN only box, I think I will go back to OPNsense 24.7 and use the legacy IPsec VPN
Since this box doesn't do anything else, I should never have to update it.
Any way to permanently prevent updates?
Legacy worked fine before version 25.

Reinstalled the older VPN, and now it is working again.
There are definitely some confusing/conflicting rules in the new IPsec VPN guides, or they are missing something.
As I mentioned in a previous post, I am just going to leave it alone now with OPNsense version 24.7.1 on a VPN-dedicated box.